Grype database or disk is full on large Docker images

When Grype or stereoscope scans a large Docker image through the local socket and fails with database or disk is full or no space left on device, measure the scanner temp path, Grype cache, Docker root dir, and container filesystem before pruning anything.

Read-only scanner triage

Find whether the full path is host disk, Docker root, scanner temp, cache volume, or tmpfs.

This command reports sizes only. It does not delete images, volumes, caches, or scan results.

docker info -f 'DockerRootDir={{ .DockerRootDir }}'; df -hT; df -h "$(docker info -f '{{ .DockerRootDir }}')" 2>/dev/null; docker system df -v; docker run --rm alpine sh -c 'df -hT /tmp; mount | grep " /tmp" || true'; docker volume ls; docker volume inspect dockhand-grype-db --format '{{ .Mountpoint }}' 2>/dev/null | xargs -r -I{} sudo du -sh "{}" 2>/dev/null

Request $99 invoice Open GitHub invoice issue View team sample

Copy-ready issue reply

Use this before changing scanner cache or pruning Docker volumes.

Paste this into an issue when a vulnerability scan fails on a large image and the host appears to have free space.

Before deleting Docker data, separate the paths that can report "disk full" during a Grype/stereoscope scan:

docker info -f 'DockerRootDir={{ .DockerRootDir }}'
df -hT
df -h "$(docker info -f '{{ .DockerRootDir }}')" 2>/dev/null
docker system df -v
docker run --rm alpine sh -c 'df -hT /tmp; mount | grep " /tmp" || true'
docker volume ls
docker volume inspect dockhand-grype-db --format '{{ .Mountpoint }}' 2>/dev/null | xargs -r -I{} sudo du -sh "{}" 2>/dev/null

If /tmp or the scanner cache is small, move Grype/stereoscope temp/cache to a larger filesystem. If Docker root is tight, prune rebuildable images/build cache first. Review named volumes before any volume prune because monitoring databases and app state often live there.

Turn this into a $99 team policy GitHub invoice issue

Need the safest next step?

Send the scanner failure and storage summary.

Paste the Grype error, Docker root dir, host disk summary, and whether named volumes contain state. We will reply with the lowest-risk cleanup or cache relocation path.

Shortest paid path

Need a repeatable scanner storage policy for a team?

The $99 pilot turns one representative Grype, Docker, or CI scan failure into a safe/review/protected cleanup and cache-placement policy within 48 hours.

Common false leads

df -h / can look healthy while Docker root, scanner temp, or a cache volume is the actual limit.
A large image can fail during tar extraction even when the final image size looks acceptable.
Named volumes with zero reclaimable space can still contain application state; do not use broad volume prune as the first fix.

Turn repeated scanner failures into a team policy

SafeDisk reviews one representative scan failure and returns the exact cache, temp, image, and volume cleanup order your team can reuse.

Request $99 team pilot See sample